Risk: historically grown authorizations
Restrict Application Server Login
Only the current profile data is ever recorded, so obsolete profiles and authorizations in the target system cannot be deleted by transport. This data remains assigned to the users and stays effective until a user comparison with the Cleanup option (transaction PFUD) removes it.
Consulting firms adjust the roles and authorizations after the fact. This usually means "making the best of it" with ad hoc adjustments, in other words not fixing the root cause and not cleaning up from scratch. Companies should therefore ask themselves: how can this be avoided? What requirements must a GDPR (DSGVO) compliant authorization concept fulfil? How can we remain able to state which authorizations specific individuals have in the system and for what purpose?
Evaluation of the authorization check SU53
Today we come to error analysis for authorizations. The best thing that can happen is an error of the type "I don't have authorization to do this and that!" (CASE1). Worse is the case that someone has too many permissions, i.e. of the type "User xy should not have this permission anymore" (CASE2). How to proceed? First, case 1. The system supports this case, that someone lacks authorization for something, very well. The code word is SU53. If a transaction encounters an authorization error, this error is written to a memory area that can be displayed afterwards. For this there is the transaction SU53 or the menu path "System/Utilities/Display Authorization Check". With this function, the system shows which authorization objects (and which field values) are missing for the user.
Roles can be tailored so that, for example, they only grant display or change permissions. Furthermore, a distinction can be made between customising, master data and transaction data maintenance.
The assignment of authorizations during go-live can be additionally secured by using "Shortcut for SAP systems".
All navigation options in the form of external services are defined in the customising of the CRM business role, as a generic outbound plug mapping to the navigation bar.
After the roles have been defined and the corresponding authorization profiles generated, the individual persons in the company are assigned to the roles.